OpenAM / OPENAM-5547

Agent behaviour when appending goto= to LoginURLs is not compatible with XUI login URL

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: Agents-3.3.3, 12.0.0, 13.0.0, 13.5.0
    • Fix Version/s: 14.0.0
    • Component/s: XUI
    • Support Ticket IDs:

      Description

      DESCRIPTION
      ============

      This is apparent when using a login URL that points directly to the XUI login:

      e.g.

      http://openam.example.com:8080/openam/XUI/#login/

      The agent appends ?goto=... to the end of this URL. XUI parses the text after #login/ as the realm, so the ?goto=... part is taken as the realm and the login page fails to load. The agent should append &goto=... instead for this to work.

      Setting the login URL to something containing an & causes the agent to normalise to &goto= instead, e.g.:

      http://openam.example.com:8080/openam/XUI/#login/&

      This works, but it is not an intuitive solution. The default login URL points to /openam/UI/Login, which then redirects correctly to XUI/#login/; however, that is an inefficient extra redirect on every login.

      RECREATION STEPS
      ================
      Test parameters
      Managed resource URLs should include differing protocols, trailing and non-trailing slashes, and query parameters:
      http://iisal.example.com
      http://iisal.example.com:80
      http://iisal.example.com/
      http://iisal.example.com:80/
      https://iisal.example.com
      https://iisal.example.com:443
      https://iisal.example.com/
      https://iisal.example.com:443/
      http://iisal.example.com/first
      http://iisal.example.com:80/first
      https://iisal.example.com/first
      https://iisal.example.com:443/first
      https://iisal.example.com:443/first?myparam=myvalue
      https://iisal.example.com:443/first?myparam=myvalue;secondparam=secondval
      https://iisal.example.com:443/first.asp?myparam=myvalue&secondparam=secondval
      https://iisal.example.com:443/first&myparam=myvalue
      https://iisal.example.com:443/myServlet/#tag
      https://iisal.example.com:443/myServlet/#tag&myparam=myvalue
      https://iisal.example.com:443/first/my.png
      https://iisal.example.com:443/first/second/my.png
      https://iisal.example.com:443/first/*/my.png

      OpenAM login URLs should include both the legacy UI and XUI forms, with and without the trailing &:
      http://openam.example.com:8080/openam/XUI/#login
      http://openam.example.com:8080/openam/XUI/#login/
      http://openam.example.com:8080/openam/XUI/#login/&realm=MyRealm
      http://openam.example.com:8080/openam/XUI/#login/&realm=MyRealm&
      http://openam.example.com:8080/openam/XUI/#login/&realm=MyRealm&service=LDAPService
      http://openam.example.com:8080/openam/XUI/#login/&realm=/MyRealm
      http://openam.example.com:8080/openam/XUI/#login&realm=/MyRealm
      http://openam.example.com:8080/openam/XUI/#login/MyRealm
      http://openam.example.com:8080/openam/XUI/#login/MyRealm/
      http://openam.example.com:8080/openam/XUI/#login/MyRealm/&
      http://openam.example.com:8080/openam/UI/Login
      http://openam.example.com:8080/openam/UI/Login/
      http://openam.example.com:8080/openam/UI/Login?realm=MyRealm
      http://openam.example.com:8080/openam/UI/Login?realm=MyRealm&service=LDAPService
      http://openam.example.com:8080/openam/UI/Login?realm=/MyRealm
      http://openam.example.com:8080/openam/UI/Login?realm=/MyRealm&service=LDAPService
      http://openam.example.com:8080/openam/UI/Login/&realm=/MyRealm
      http://openam.example.com:8080/openam/UI/Login/Login.jsp
      http://openam.example.com:8080/openam/UI/Login/Login.jsp?realm=MyRealm
      http://openam.example.com:8080/openam/UI/Login/Login.jsp?realm=MyRealm&service=LDAPService
      http://openam.example.com:8080/openam/UI/Login/Login.jsp?realm=/MyRealm
      http://openam.example.com:8080/openam/UI/Login/Login.jsp?realm=/MyRealm&service=LDAPService

      Before
      Create realm MyRealm.
      Configure the agent against realm /MyRealm.
      Set up SSO Only.
      Before each
      Clear the browser cache if using a browser.
      For each of (XUI turned off, XUI turned on):
        For each URL in the login URL list:
          Set the login URL to the next login URL from the list (ssoadm set-attribute).
          For each managed resource URL:
            Send an HTTP GET to the URL (curl -I "URL" could be used).
            Check that the HTTP code and Location returned are as expected.
            If you follow the URL in a supported browser, the realm, service and goto parameters should be as expected and no errors should be reported.

      EXPECTED OUTCOME
      ================
      A 302 code should be produced.
      The Location should be a valid URL that works in all supported browsers.

      The key test is that the goto parameter is joined with an ampersand for any XUI URL and for any secondary parameter. For UI (or other) URLs, ?goto= is used for the first query parameter and & for any after that.
      http://openam.example.com:8080/openam/XUI/#login&goto=http%3A%2F%2Fiisal.example.com%3A80%2F
      http://openam.example.com:8080/openam/XUI/#login/&goto=http%3A%2F%2Fiisal.example.com%3A80%2F
      http://openam.example.com:8080/openam/XUI/#login/&realm=MyRealm&goto=http%3A%2F%2Fiisal.example.com%3A80%2F
      http://openam.example.com:8080/openam/XUI/#login/&realm=MyRealm&goto=http%3A%2F%2Fiisal.example.com%3A80%2F
      http://openam.example.com:8080/openam/XUI/#login/&realm=MyRealm&service=LDAPService&goto=http%3A%2F%2Fiisal.example.com%3A80%2F
      http://openam.example.com:8080/openam/XUI/#login/&realm=/MyRealm&goto=http%3A%2F%2Fiisal.example.com%3A80%2F
      http://openam.example.com:8080/openam/XUI/#login&realm=/MyRealm&goto=http%3A%2F%2Fiisal.example.com%3A80%2F
      http://openam.example.com:8080/openam/XUI/#login/MyRealm&goto=http%3A%2F%2Fiisal.example.com%3A80%2F
      http://openam.example.com:8080/openam/XUI/#login/MyRealm/&goto=http%3A%2F%2Fiisal.example.com%3A80%2F
      http://openam.example.com:8080/openam/XUI/#login/MyRealm/&goto=http%3A%2F%2Fiisal.example.com%3A80%2F

      For UI URLs the agent cannot determine what the final URL will be, since it does not know whether the XUI flag is on, so concentrate on getting the parameters correct:
      http://openam.example.com:8080/openam/UI/Login?goto=http%3A%2F%2Fiisal.example.com%3A80%2F
      http://openam.example.com:8080/openam/UI/Login/?goto=http%3A%2F%2Fiisal.example.com%3A80%2F
      http://openam.example.com:8080/openam/UI/Login?realm=MyRealm&goto=http%3A%2F%2Fiisal.example.com%3A80%2F
      http://openam.example.com:8080/openam/UI/Login?realm=MyRealm&service=LDAPService&goto=http%3A%2F%2Fiisal.example.com%3A80%2F
      http://openam.example.com:8080/openam/UI/Login?realm=/MyRealm&goto=http%3A%2F%2Fiisal.example.com%3A80%2F
      http://openam.example.com:8080/openam/UI/Login?realm=/MyRealm&service=LDAPService&goto=http%3A%2F%2Fiisal.example.com%3A80%2F
      http://openam.example.com:8080/openam/UI/Login/&realm=/MyRealm&goto=http%3A%2F%2Fiisal.example.com%3A80%2F
      http://openam.example.com:8080/openam/UI/Login/Login.jsp?goto=http%3A%2F%2Fiisal.example.com%3A80%2F
      http://openam.example.com:8080/openam/UI/Login/Login.jsp?realm=MyRealm&goto=http%3A%2F%2Fiisal.example.com%3A80%2F
      http://openam.example.com:8080/openam/UI/Login/Login.jsp?realm=MyRealm&service=LDAPService&goto=http%3A%2F%2Fiisal.example.com%3A80%2F
      http://openam.example.com:8080/openam/UI/Login/Login.jsp?realm=/MyRealm&goto=http%3A%2F%2Fiisal.example.com%3A80%2F
      http://openam.example.com:8080/openam/UI/Login/Login.jsp?realm=/MyRealm&service=LDAPService&goto=http%3A%2F%2Fiisal.example.com%3A80%2F

      After following this URL, the correct login page should be displayed for the correct realm and service.
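The joining rule that the expected outcomes above imply, as an added example (this is not the agent's code; the separator logic is reconstructed from the Location values quoted on this ticket and labelled as an assumption in the comments):

```python
from urllib.parse import quote

# Constructed sample: the managed resource used in the Location values on this ticket.
RESOURCE = "http://iisal.example.com:80/"


def encode_goto(resource: str) -> str:
    """Percent-encode the goto target; ':' and '/' are escaped, matching the expected Location values."""
    return quote(resource, safe="")


def append_goto_reported(login_url: str, resource: str) -> str:
    """Reconstruction (an assumption, not the agent's source) of the reported behaviour:
    only a '?' already in the URL switches the separator to '&', so an XUI URL such as
    '.../XUI/#login/&realm=MyRealm&' comes out as '...&?goto=...'."""
    sep = "&" if "?" in login_url else "?"
    return login_url + sep + "goto=" + encode_goto(resource)


def append_goto_expected(login_url: str, resource: str) -> str:
    """Join goto= the way the EXPECTED OUTCOME section requires.

    XUI keeps its parameters after the '#' fragment, so a '?' placed there is read as part
    of the realm path. Hence: '&' whenever the URL already carries '#', '?' or '&';
    no separator at all when it already ends in one; '?' only for a plain UI URL.
    """
    goto = "goto=" + encode_goto(resource)
    if login_url.endswith(("&", "?")):
        return login_url + goto
    if any(c in login_url for c in "#?&"):
        return login_url + "&" + goto
    return login_url + "?" + goto


def location_is_wellformed(location: str) -> bool:
    """Check a redirect Location for the two broken shapes on this ticket:
    a '&?goto=' join, or a '?' anywhere inside the XUI fragment."""
    if "&?goto=" in location:
        return False
    fragment = location.partition("#")[2]
    return "?" not in fragment
```

location_is_wellformed() is the check to run over the Location header returned by curl -I in the recreation steps.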

      ACTUAL OUTCOME
      ==============
      For XUI URLs the goto parameter is appended as &?goto= instead of &goto=. In some cases an error is displayed, and the realm parameter may be dropped when the URL is opened in a browser.
      http://openam.example.com:28080/openam/XUI/#login/&realm=MyRealm&?goto=http%3A%2F%2Fiisal.example.com%3A80%2F
      http://openam.example.com:28080/openam/XUI/#login/&realm=MyRealm&service=LDAPService&?goto=http%3A%2F%2Fiisal.example.com%3A80%2F
      http://openam.example.com:28080/openam/XUI/#login/&?goto=http%3A%2F%2Fiisal.example.com%3A80%2F
      http://openam.example.com:28080/openam/XUI/#login/MyRealm&service=LDAPService&?goto=http%3A%2F%2Fiisal.example.com%3A80%2F

      WORKAROUND
      ==========
      For XUI logins, add a trailing ampersand to the login URL, or use the legacy UI login URL:

      http://openam.example.com:8080/openam/UI/Login?realm=MyRealm
      http://openam.example.com:8080/openam/XUI/#login/&realm=MyRealm&

              People

              • Assignee: Julian Kigwana (julian.kigwana@forgerock.com) (Inactive)
              • Reporter: Ian Packer (Inactive)
              • Votes: 3
              • Watchers: 18